Particle.news

Researchers Expose Multi-Year Hack-for-Hire Campaign Targeting MENA Journalists

Investigators say the operation reflects a South Asia-linked hack-for-hire model that combines iCloud credential theft with Android spyware.

Overview

  • Access Now, Lookout, and SMEX, which published coordinated reports Wednesday, detailed a multi-year espionage effort against journalists, activists, and some officials across the Middle East and North Africa.
  • Attackers ran tailored phishing to steal Apple ID logins and two-factor codes and then pull iCloud backups, tried to hijack Signal accounts by adding a new device, and pushed ProSpy Android malware disguised as apps such as WhatsApp, Signal, Zoom, ToTok, and Botim.
  • Researchers linked the tools and servers to the Bitter APT’s known infrastructure and tactics and concluded the activity was likely hack-for-hire with suspected ties to India, while noting they could not confirm direct government involvement.
  • Targets named in the reports included Egyptian journalists Mostafa Al‑A’sar and Ahmed Tantawy, and a prominent Lebanese journalist whose Apple account was taken over in 2025 using the same phishing infrastructure.
  • Lookout said the campaign also reached beyond civil society to entities in Bahrain and Egypt and to users in the UAE, Saudi Arabia, the UK, and possibly the US, underscoring how outsourced surveillance offers cheaper access and plausible deniability, which press-freedom groups warn endangers sources and reporting.